Reputation: 343
Registry Filter Driver for XP
I want to make a registry filter driver specifically for Windows XP. I know there is an example in the official WinDDK but it only works on Windows 7.
Is it even possible to develop a registry filter driver for windows xp ? Any kind of code/pointers will be highly appreciated.
Upvotes: 2
Views: 504
Answers (3)
Reputation: 897
Yes, it is possible altought I would not recommend it.
First, you have to hook SSDT. Please notice that hooking SSDT is not supported in XP 64 bits (Patch Guard), you have to understand what are you doing (BSOD hook), is not portable and your software can be marked as malware.
Second, you need to do reverse engineering of Key Control Blocks. When two different apps open the same key, they get two different handles but they KCB is unique for both threads. KCB is an opaque structure so WinDbg is your friend here.
Upvotes: 0
Reputation: 392
You can also hook the registry API functions using Microsoft Detours (or similar package). This is no easy task to get correct (still finding the bugs) but if you are up for writing drivers then this is no different in complexity. Just less blue screens. Look at hooking the Nt or Zw functions in ntdll.
Upvotes: 0
Reputation: 5635
No this is not possible. For Windows XP you need to hack the kernel API table. This is not recommended, but for windows XP it is the only option. This is how the Sysinternals RegMon program used to work.
Upvotes: 0
Related Questions
- Installing Filter Drivers To An Existing Device
- Solution for creating a firewall filter layer (c/c++) on Windows?
- How Debug File System Minifilter Driver on WDK 7.1
- file filter driver intereres page file
- Test and Debug a driver
- Is there an equivalent of RegQueryInfoKey for Windows Kernel Mode Drivers?
- Windows File System Filter Driver
- using Windows Filtering Platform in Kernel Driver
- Alternatives to Windows 7 device ContainterIDs
- Device driver code signing for windows XP 32 bit